December 17, 2004

Information Technology
DoD FY 2004 Implementation of the Federal Information Security Management Act for Information Technology Training and Awareness
(D-2005-025)

Department of Defense
Office of the Inspector General
Quality    Integrity    Accountability

Additional Copies

To obtain additional copies of this report, visit the Web site of the Inspector General of the Department of Defense at http://www.dodig.osd.mil/audit/reports or contact the Secondary Reports Distribution Unit, Audit Followup and Technical Support at (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.

Suggestions for Future Audits

To suggest ideas for or to request future audits, contact Audit Followup and Technical Support at (703) 604-8940 (DSN 664-8940) or fax (703) 604-8932. Ideas and requests can also be mailed to:

    ODIG-AUD (ATTN: AFTS Audit Suggestions)
    Inspector General of the Department of Defense
    400 Army Navy Drive (Room 801)
    Arlington, VA 22202-4704

Acronyms
ASD (NII)/CIO   Assistant Secretary of Defense for Networks and Information Integration/Chief Information Officer
DeCA            Defense Commissary Agency
DCMA            Defense Contract Management Agency
DISA            Defense Information Systems Agency
FISMA           Federal Information Security Management Act
FMFIA           Federal Managers Financial Integrity Act
IA              Information Assurance
IT              Information Technology
NIST            National Institute of Standards and Technology
OMB             Office of Management and Budget
POA&M           Plan of Action and Milestones
WHS             Washington Headquarters Service

INSPECTOR GENERAL
DEPARTMENT OF DEFENSE
400 ARMY NAVY DRIVE
ARLINGTON, VIRGINIA 22202-4704

December 17, 2004

MEMORANDUM FOR UNDER SECRETARY OF DEFENSE FOR PERSONNEL AND READINESS
               ASSISTANT SECRETARY OF DEFENSE FOR NETWORKS AND INFORMATION INTEGRATION/CHIEF INFORMATION OFFICER

SUBJECT: Report on DoD FY 2004 Implementation of the Federal Information Security Management Act for Information Technology Training and Awareness (Report No. D-2005-025)

We are providing this report for review and comment. We considered management comments on a draft of this report in preparing the final report.

DoD Directive 7650.3 requires that all issues be resolved promptly. All the recommendations remain unresolved. Therefore, we request that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide comments on this final report by January 21, 2005.

If possible, please send management comments in electronic format (Adobe Acrobat file only) to Audam@dodig.osd.mil. Copies of the management comments must contain the actual signature of the authorizing official. We cannot accept the /Signed/ symbol in place of the actual signature. If you arrange to send classified comments electronically, they must be sent over the SECRET Internet Protocol Router Network (SIPRNET).

We appreciate the courtesies extended to the staff. Questions should be directed to Ms. Kathryn M. Truex at (703) 604-8966 (DSN 664-8966) or Ms. Sarah Davis at (703) 604-9031 (DSN 664-9031). See Appendix D for the report distribution. The team members are listed inside the back cover.

By direction of the Deputy Inspector General for Auditing:

Assistant Inspector General for Acquisition and Technology Management

Office of the Inspector General of the Department of Defense
Report No. D-2005-025                                        December 17, 2004
(Project No. D2004AL-0136)

DoD FY 2004 Implementation of the Federal Information Security Management Act for Information Technology Training and Awareness

Executive Summary

Who Should Read This Report and Why? The DoD Chief Information Officer, the Under Secretary of Defense for Personnel and Readiness, the Director of the Defense Information System Agency, and the Chief Information Officers of DoD Components should read this report to obtain information about DoD implementation of the Federal Information Security Management Act training requirements. This report discusses the overall ability of DoD to report reliable training information required by the Federal Information Security Management Act and the effectiveness of the process that three DoD Components used to develop the required training information.

Background. This report is in response to Federal Information Security Management Act requirements. On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-347) that included title III, section 301, "Federal Information Security Management Act of 2002." The Federal Information Security Management Act provides a comprehensive framework for ensuring the effectiveness of information security controls, management, and oversight required to protect Federal information and information systems. The Federal Information Security Management Act directs each agency to develop, document, and implement an agencywide information security program and to report annually to the Director of the Office of Management and Budget, congressional committees, and the General Accountability Office on the adequacy and effectiveness of its information security policies, procedures, and practices. In addition, the Federal Information Security Management Act requires the Inspectors General of each agency to perform an independent evaluation of the agency's information security programs and practices.

On August 23, 2004, the Office of Management and Budget issued Memorandum 04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act," which included a set of questions for each agency and its Inspector General to answer as part of the Federal Information Security Management Act reporting process. Section G asked how many agency employees received security awareness training in FY 2004 and how many employees with significant information technology security responsibilities received specialized training.

Results. The DoD Chief Information Officer did not ensure that training information that the DoD Components reported in response to the Federal Information Security Management Act data calls was accurate and supportable. In particular, the DoD Chief Information Officer did not ensure that all DoD Components had appropriately defined and identified employees with significant information technology security responsibilities, developed training requirements for those information technology security professionals, or established processes to identify and track training taken by those individuals. This conclusion is specifically illustrated by the result of our review of three DoD Components.
As a result, the DoD response to the training portion of the Office of Management and Budget FY 2004 reporting instructions for the Federal Information Security Management Act may not accurately reflect DoD enterprisewide compliance with the Federal Information Security Management Act requirements (finding A).

The DoD Chief Information Officer did not ensure that security awareness training information that the DoD Components reported in response to the Federal Information Security Management Act data calls was accurate and supportable. Specifically, the Chief Information Officer did not ensure that the DoD Components had effective processes in place to track and monitor completion of security awareness training requirements. Although the Defense Commissary Agency and Washington Headquarters Service had processes in place to ensure that new employees receive initial security awareness training, the Washington Headquarters Service was the only agency of the three reviewed that had a process to ensure that its network users were receiving the required periodic training. This condition occurred because the DoD Chief Information Officer had not established specific reporting mechanisms to monitor and oversee compliance with DoD Instruction 8500.2, "Information Assurance," by DoD Components. As a result, security awareness training information that the DoD reported in FY 2004 cannot be relied upon to accurately reflect DoD enterprisewide compliance with Federal Information Security Management Act requirements, and network users that have not received training could introduce security vulnerabilities into DoD networks (finding B). See the Findings section of the report for the detailed recommendations.

Management Comments. The Director, Defense Information Assurance Program either did not concur with the recommendations or stated that the recommendations were no longer applicable because the recommended actions had been completed. Specifically, the comments stated that employees with significant information technology security responsibilities are defined in Appendix AP1 of the Draft Manual DoD 8570.1-M. The comments also stated that US Code Title 10 assigns the Services specific responsibilities for equipping, training, and providing the forces. Additionally, the comments stated that the Assistant Secretary of Defense for Networks and Information Integration has been working with the Under Secretary of Defense for Personnel and Readiness to develop methodologies for DoD Components to identify information assurance positions and manage and track employee training and certification requirements. See the Findings section of the report for a discussion of management comments and the Management Comments section of the report for the complete text of the comments.

Audit Response. The Director, Defense Information Assurance Program comments were nonresponsive to the recommendations. DoD Directive 8570.1 specifically requires the Assistant Secretary for Networks and Information Integration/DoD Chief Information Officer to develop and promulgate additional guidance relating to information assurance training, certification, and workforce management requirements. The Directive also states that personnel and manpower databases under Under Secretary of Defense for Personnel and Readiness authority capture and report requirements for information assurance training and certification. Additionally, the implementing manual for DoD Directive 8570.1 has not yet been issued; until such a manual is issued and complied with, the recommended actions will not be completed. Therefore, we request that the Assistant Secretary for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments by January 21, 2005.

Table of Contents

Executive Summary                                                              i
Background                                                                     1
Objectives                                                                     2
Findings
     A. Specialized Training for Employees with Significant Security
          Responsibilities for Information Technology                          3
     B. Security Awareness Training                                           16
Appendixes
     A. Scope and Methodology                                                 25
         Management Control Program Review                                    25
         Prior Coverage                                                       26
     B. National Institute of Standards and Technology Guidance for Security
          Awareness and Training                                              27
     C. DoD Requirements                                                      29
     D. Report Distribution                                                   32
Management Comments
     Defense Information Assurance Program                                    35

Background

Federal Information Security Management Act of 2002. On December 17, 2002, the President signed the E-Government Act of 2002 (Public Law 107-347) that included title III, section 301, "Federal Information Security Management Act of 2002." The Federal Information Security Management Act (FISMA) provides a comprehensive framework for ensuring the effectiveness of information security controls, management, and oversight required to protect Federal information and information systems. FISMA directs each agency to develop, document, and implement an agencywide information security program and to report annually to the Director of the Office of Management and Budget (OMB), congressional committees, and the General Accountability Office on the adequacy and effectiveness of its information security policies, procedures, and practices. In addition, FISMA requires Inspectors General to perform an independent evaluation of the information security programs and practices of their agencies.

OMB Guidance and Reporting Instructions. OMB identified security training and awareness as one of six Governmentwide security weaknesses in its FY 2001 FISMA report to Congress and since then has required Federal agencies to report on security awareness and specialized training every year. On August 23, 2004, OMB issued Memorandum 04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act," which included a set of questions that each agency and its Inspector General must answer as part of the FISMA reporting process. Section G asked how many agency employees received security awareness training in FY 2004 and how many employees with significant information technology (IT) security responsibilities received specialized training.

Evolution of Federal Training Requirements.
FISMA requires security awareness training for all IT users and additional training for personnel with significant IT security responsibilities. A requirement for periodic training in computer security awareness has existed since the enactment of the Computer Security Act of 1987. The Computer Security Act also assigned the responsibility for developing standards and guidelines for Federal computer security training to the National Institute of Standards and Technology (NIST). In November 1989, NIST issued Special Publication 500-172, "Computer Security Training Guidelines," which provided a framework for determining the training needs of particular categories of employees. In January 1992, the Office of Personnel and Management issued a Federal Personnel regulation, "Employees Responsible for the Management or Use of Federal Computer Systems," which made the recommended NIST guidelines mandatory. In April 1998, NIST issued Special Publication 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model," which focused on the job functions, roles, and responsibilities of each individual, rather than on job titles. The new approach recognized that an individual may have more than one role in an organization and would need IT security training to satisfy the specific responsibilities of each role. In October 2003, NIST issued Special Publication 800-50, "Building an Information Technology Security Awareness and Training Program," as a companion document to NIST 800-16. NIST 800-50 discusses how to build an IT security awareness and training program, and NIST 800-16 describes an approach to role-based IT security training. For more information on NIST 800-50 and 800-16, see Appendix B.

Objectives

The overall audit objective was to assess DoD implementation of title III, section 301, "Federal Information Security Management Act," of the E-Government Act of 2002 (Public Law 107-347). Specifically, we evaluated whether all agency employees, including contractors, received IT security training and awareness and whether employees with significant IT security responsibilities were properly trained for their level of responsibility. See Appendix A for a discussion of the scope and methodology and prior coverage related to the objectives.

A. Specialized Training for Employees with Significant Security Responsibilities for Information Technology

The Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer (DoD CIO) did not ensure that training information that the DoD Components reported in response to FISMA data calls was accurate and supportable. In particular, the DoD CIO did not ensure that all DoD Components had appropriately defined and identified employees with significant IT security responsibilities, developed training and certification requirements for those IT security professionals, or established processes to track and monitor training taken by those individuals. This conclusion is specifically illustrated by the result of our review of three DoD Components. This condition occurred because the DoD CIO did not implement the requirements of numerous policy documents issued since 1998 and did not establish specific reporting mechanisms to monitor and oversee accomplishment of those requirements by DoD Components. Further, DoD did not consistently report on actions required to correct this ongoing enterprisewide deficiency. As a result, the DoD response to the training portion of the OMB FY 2004 reporting instructions for FISMA may not accurately reflect DoD enterprisewide compliance with FISMA requirements.

NIST Special Publication 800-50

OMB Memorandum 04-25, "FY 2004 Reporting Instructions for the Federal Information Security Management Act," August 23, 2004, asks Federal agencies whether their employees with significant IT security responsibilities received specialized training as described in NIST Special Publications 800-50, "Building an Information Technology Security Awareness and Training Program," October 2003, and 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model," April 1998. NIST 800-50 was more appropriate for our review of specialized training than NIST 800-16 because it focuses on a higher strategic level that better reflects the state of the DoD training program. According to NIST 800-50, agency Chief Information Officers should establish an overall strategy for the IT security awareness and training program; ensure that the agency head, senior managers, and others understand the concepts and strategies of the security awareness and training program and are informed of the progress of the program's implementation; and ensure that effective tracking and reporting mechanisms are in place.

NIST 800-50 describes the four phases of a training program: program design, awareness and training material development, program implementation, and postimplementation. The very first step in the design phase is determining the program structure. Organizations, such as DoD, that are relatively large, spread over a wide geographic area, and have organizational units with separate and distinct missions often use a fully decentralized structure. In a fully decentralized program, a central authority, such as the DoD CIO, sets the overall training policy, and the operating units, such as the DoD Components, develop specific training plans and report the accomplishment of those plans to the central authority. In addition, NIST 800-50 endorses using a central database in the postimplementation phase. Agency CIOs could use the information in the central database to inform the agency head and other senior management officials of the compliance of the IT security awareness and training program, and agency auditors could use it to monitor compliance with security directives and agency policy.
For more information on NIST 800-50 and 800-16, see Appendix B.

Implementation of DoD Guidance

DoD guidance since 1998 has acknowledged a need to identify personnel performing information assurance (IA) and IT duties, to develop training and certification requirements for those people, and to implement a process for tracking implementation of those requirements. A memorandum issued in June 1998 required each DoD Component to develop a training and certification plan within 45 days, report to the DoD CIO on the implementation of that plan every quarter, and fully implement the plan by December 2000. In August 1999, an IA and IT human resources integrated process team issued a report on DoD training, certification, and personnel management. The report included recommendations to identify IT personnel, establish training and certification programs, and track implementation of those programs. A Deputy Secretary of Defense memorandum, issued in July 2000, endorsed the integrated process team recommendations, assigned recommendations to specific organizations requiring them to develop and submit implementation plans within 90 days, and required the DoD CIO to provide a consolidated status report on execution of those plans every 60 days.

DoD Instruction 8500.2, "Information Assurance (IA) Implementation," issued on February 6, 2003, did not fix the problems or implement the requirements of either the June 1998 memorandum or the July 2000 memorandum. Instruction 8500.2 reiterated the need for a DoD core curriculum for IA training and awareness and an IA skills certification standard. In addition, it required the DoD Components to follow the June 1998 and July 2000 memorandums, even though those memorandums outlined specific timelines for implementing corrective actions that should have been completed prior to issuance of DoD Instruction 8500.2. DoD Directive 8500.1, "Information Assurance," issued on October 24, 2002, and certified current as of November 21, 2003, also required the DoD CIO to develop and promulgate additional IA policy and guidance on IA training and education.

On August 15, 2004, DoD issued DoD Directive 8570.1, "Information Assurance Training, Certification and Workforce Management." DoD Directive 8570.1 outlined roles and responsibilities that are consistent with a fully decentralized organization as defined in NIST 800-50; however, similar requirements have existed in other policy documents for years and have yet to be implemented. DoD policies are described in more detail in Appendix C. Better metrics, timelines, reporting mechanisms, and oversight are needed to enforce all of the requirements in DoD Directive 8570.1. An implementing manual for DoD Directive 8570.1 is being staffed and is expected to be released in April 2005. Until the implementing manual is issued and complied with, DoD needs to report its training deficiencies under the Federal Managers Financial Integrity Act (FMFIA), as discussed later in this finding.

Review of Selected DoD Component Training Programs

Because DoD did not use an enterprisewide system, database, or process to identify employees performing significant IT security responsibilities and to track the specialized training taken by those employees, we selected for our review 3 of the 21 DoD Components that reported on specialized training for employees with significant IT security responsibilities in the DoD FY 2003 FISMA report: the Defense Commissary Agency (DeCA), the Defense Contract Management Agency (DCMA), and the Washington Headquarters Service (WHS).

Identification of Employees with Significant IT Security Responsibilities. One of the most significant findings in the IA and IT human resources integrated process team August 1999 report was that DoD was unable to expeditiously determine who was performing IT activities and who had access to the DoD information infrastructure. The integrated process team recommended that DoD identify all people who perform IT functions in DoD personnel databases so that their training can be tracked. On July 14, 2000, the Deputy Secretary of Defense endorsed the integrated process team recommendation and required the Under Secretary of Defense for Personnel and Readiness to submit an implementation plan within 90 days. In the FY 2002 Performance and Accountability Report mandated by the FMFIA of 1982, DoD reported that it would develop the capability to identify and track IA and IT personnel in the civilian databases by June 2003 and in the military databases by June 2004.

The FY 2004 DoD FISMA reporting guidance issued by the DoD CIO on March 15, 2004, defined significant security responsibilities as those performed by Designated Approving Authorities, IA officers, IA managers, system administrators, computer emergency response team members, and anyone with privileged access to a system or network. As of May 2004, some DoD Components still were not using personnel databases to identify their employees with significant IT security responsibilities for FISMA reporting purposes. DeCA, DCMA, and WHS used data calls and the institutionalized knowledge of senior IT managers, rather than a personnel database, to identify their employees with significant IT security responsibilities. In addition, the number of IT employees that DCMA identified differed significantly from the number of employees that occupied IT-related positions in its personnel databases.

In FY 2003, DCMA reported that it had 98 employees with significant IT security responsibilities. In April 2004, the East and West DCMA Field Service Division Chiefs and DCMA headquarters personnel identified 199 IT security professionals. In June 2004, the DCMA civilian personnel database contained 472 civilian employees who occupied traditional IT-related occupational series.[1]

Training and Certification Requirements.
In June 1998, the DoD CIO and the\n           Under Secretary of Defense for Personnel and Readiness issued a memorandum\n           that acknowledged a need for better training of employees with significant IT\n           security responsibilities. That memorandum required DoD Components to\n           develop and implement certification plans within 45 days, to report on progress\n           against those plans every quarter, and to fully implement those plans by\n           December 2000. In July 2000, the Deputy Secretary of Defense assigned the\n           Under Secretary of Defense for Personnel and Readiness with the responsibility\n           for establishing a requirement for DoD Components to develop mandatory\n           training or certification programs. Additionally, DoD Instruction 8500.2, issued\n           in February 2003, required DoD Components to follow the June 1998 and July\n           2000 requirements. Although Component-level certification plans have been\n           required since 1998, DoD did not develop mechanisms to ensure that DoD\n           Components comply with these requirements. DeCA and DCMA did not have\n           mandatory training or certification requirements for their employees with\n           significant IT security responsibilities. WHS had specific training requirements\n           for Designated Approving Authorities, IA officers, IA managers, and system\n           administrators.\n\n                   DeCA Requirements. DeCA was still developing a comprehensive\n           training program with minimum training requirements for its employees with\n           significant IT security responsibilities. Prior efforts to define training\n           requirements either were not implemented or did not cover all IT security\n           professionals. 
The DeCA “Information Assurance Training Plan for FYs 2001 and 2002” provided training requirements for system administrators only and was never fully implemented. According to DeCA officials, because their IA office had limited resources, they decided to focus on improving the system certification and accreditation status. In FY 2002, DeCA developed a training program for its IA officers that included three required classes and a database to track completion of those requirements. DeCA plans to modify the classes required for the IA officers. DeCA has been developing an IA Training Handbook since 2003. The handbook is the agency’s best effort to date to develop and document training requirements for employees with significant IT security responsibilities; however, the handbook had not been completed and issued during our review of DeCA.

DCMA Requirements. DCMA did not have mandatory training and certification requirements for its employees with significant IT security responsibilities. Instead, DCMA used an IT Career Guide that provided information about the desired experience, education, and training goals for DCMA employees who perform IT as their primary function. The Career Guide has 3 career levels for the 10 specialty areas identified in the GS-2210 job series.[1] Although the Career Guide provides a framework of recommended training for each specialty and career level, DCMA representatives were unable to explain how the IT Career Guide is implemented. They could not describe processes for approving and documenting achievement of each career level. In addition to the IT Career Guide, DCMA was developing a certification program for systems administrators, which will focus on commercial certifications such as Microsoft, ORACLE, and CISCO.

[1] According to a study published in May 2004 by the Federal CIO Council’s Committee on Workforce and Human Capital for IT, there are five traditional IT-related occupational series. They are GS-2210 Information Technology Management, GS-334 Computer Specialist (this series was canceled by the Office of Personnel Management, but not all agencies have converted their Computer Specialists to other appropriate series), GS-391 Telecommunications, GS-1550 Computer Science, and GS-854 Computer Engineering.

WHS Requirements. WHS had specific training requirements for employees with significant IT security responsibilities that were primarily based upon requirements listed in appendixes of the June 1998 memorandum and WHS IA Bulletin 2001-002, “Organizational IA Training Resources,” April 10, 2001; however, they were not formally documented. Designated Approving Authorities and IA managers must complete the “DAA, Designated Approving Authority” computer-based training provided by the Defense Information Systems Agency. Level I system administrators must complete five specific training courses, pass a system administrator certification exam, and obtain supervisory validation of competency for the Level I tasks included in Appendix A of the June 1998 memorandum. Level II system administrators must complete two additional training courses and obtain supervisory validation of the Level II tasks.
Level III system administrators must have additional formal training, knowledge of networking, fluency in one or more command languages, management or supervisory experience, and the ability to manage the budget, design the security architecture, and integrate security solutions. IA officers must take four of the five training courses required for Level I system administrators.

Tracking and Monitoring. Although the July 2000 Deputy Secretary of Defense memorandum specifically required the Under Secretary of Defense for Personnel and Readiness to require DoD Components to develop a capability to readily produce detailed answers about the status of certifications, only WHS had a process in place to identify and track training taken by employees with significant IT security responsibilities. DeCA and DCMA relied on data calls to provide training records for some or all of their IT security professionals.

DeCA Process. Prior to May 2004, DeCA did not have either a database or a central location for maintaining its training records. DeCA used a data call to provide training records in June 2004 for 128 employees with significant IT security responsibilities and recorded the results in an Excel spreadsheet. DeCA IT security professionals have received very little training since 2001. According to the information that DeCA gathered from those employees, only 31 of 128 had taken IT-related training, other than the IA security awareness training, from January 2001 through June 2004. Of those 31, only 1 had taken more than two IT-related training courses.

DCMA Process. Although DCMA used different automated programs or databases for training, it did not have a central database of training and certification records that could be used to track and monitor training for its employees with significant IT security responsibilities.
We requested training records for a judgmental sample of 25 employees with significant IT security responsibilities. DCMA forwarded our request to each of the individuals that we selected. Those employees submitted their training information to the DCMA training representative, who then consolidated the information and provided it to us. DCMA provided training records for 13 of the 25 employees that we selected. Only 5 of the 13 employees with significant IT security responsibilities that provided training records had taken any IT-related training courses, other than IA security awareness training, since January 2001. Of those five, only two had taken more than two IT-related training courses.

WHS Process. WHS is implementing a software management tool to manage training for its employees with significant IT security responsibilities in two of its six Directorates. When demonstrated in May 2004, the program was capable of identifying the names of all employees in the two Directorates and displaying their individual training histories. The tracking and monitoring program will be extended to the other four Directorates, depending on its success in the first two Directorates.

Training records for the four Directorates that are not using the software management tool are maintained by each Directorate IT Manager. Employees with significant IT security responsibilities are responsible for providing their IT Manager with appropriate documentation on completed training, and IT Managers are responsible for ensuring that their designated security personnel complete the appropriate IA training. WHS provided training records for a judgmental sample of the 25 employees that we chose.
Based on the documentation WHS provided for the judgmental sample, employees received the training required by WHS for their position responsibilities.

Deficiency Reporting and Tracking

DoD has not consistently reported on training-related planned actions included in the FMFIA and FISMA reports. DoD reported two training-related corrective actions in the FY 2002 FMFIA report, but did not report on the progress in completing those actions in the FY 2003 FMFIA report. DoD also reported a training-related plan of action and milestones (POA&M) in its FY 2003 FISMA report, but the POA&M only addressed maintaining the currency of available training material and did not address specific weaknesses identified in the DoD FY 2002 FMFIA report or the August 1999 IA and IT human resources integrated process team report.

Federal Managers Financial Integrity Act. The FMFIA of 1982 (section 3512, title 31, United States Code) requires an annual assessment of and report on management controls. Specifically, section 2 of the FMFIA requires the head of each executive agency to annually report to the President and Congress on material weaknesses in the agency’s controls and include a statement on whether there is reasonable assurance that the agency’s controls are achieving their intended objectives. A material weakness is a deficiency that the agency head determines to be significant enough to be reported outside the agency. The report on material weaknesses must include agency plans and progress in correcting the material weaknesses. In addition, FISMA requires each agency to address the adequacy and effectiveness of information policies, procedures, and practices as part of the FMFIA review and to report any related significant deficiencies as a material weakness in the FMFIA report.

OMB Circular A-123, “Management Accountability and Control,” June 21, 1995, provides implementing guidance for the FMFIA. It states that agency managers are responsible for taking timely and effective action to correct management control deficiencies, and that correcting them should be considered an agency priority. Plans should be developed to correct all material weaknesses, and progress against those plans should be periodically assessed and reported to agency management. A determination that a deficiency has been corrected should be made only when sufficient corrective actions have been taken and the desired results achieved. This determination should be in writing and available for review by appropriate officials.

In FY 2002, DoD reported information assurance as one of eight systemic weaknesses[2] and included two planned actions for specialized training of DoD employees performing significant IT security responsibilities.
DoD stated that the DoD CIO would complete enterprisewide certification standards for IA and IT professionals by May 2003, and identify and track IA and IT civilian personnel in databases by June 2003 and military personnel in databases by June 2004. DoD did not report on the progress of these actions in the FY 2003 FMFIA report signed on December 23, 2003, even though the DoD IA Strategic Plan released in January 2004 acknowledged a continuing need for completing certification standards and identifying IA and IT personnel in databases.

[2] DoD defines systemic weakness as those management control deficiencies that may affect a significant number of DoD Components and also have an adverse impact on the overall operations of DoD.

Plan of Action and Milestones. The purpose of a POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress in correcting security weaknesses found in programs and systems. OMB Memorandum 03-19 required agencies to develop POA&Ms for all programs and systems where an IT security weakness was found. Agency progress in correcting weaknesses in the POA&Ms must be reported to the OMB Director as part of FISMA.

In the FY 2003 FISMA report, DoD reported a POA&M for maintaining up-to-date training and stated that additional training material would be provided to DoD employees. The POA&M was incomplete because it did not address weaknesses and corrective actions discussed in either the FY 2002 FMFIA report or the 1999 IA and IT human resources integrated process team report. For example, it did not address either the DoD inability to identify and track employees with significant IT security responsibilities or the lack of training and certification requirements for those people. In addition, the POA&M did not provide estimated completion dates for the planned corrective actions. As a result, this weakness was closed in July 2004, even though serious IT training issues still exist.

FISMA Reporting

DoD reported unsupportable training information to OMB and Congress in September 2003 because the DoD did not have a definitive means to identify employees with significant IT security responsibilities or an enterprisewide training standard and tracking mechanism. DeCA, DCMA, and WHS used data calls and the institutionalized knowledge of senior IT managers, rather than a personnel database, to identify their employees with significant IT security responsibilities. Therefore, the number of employees reported by DoD is subject to interpretation and change. For example, DeCA, DCMA, and WHS reported 21, 98, and 34 employees with significant IT security responsibilities during the FY 2003 FISMA reporting process, but identified 128, 199, and 76 employees with significant IT security responsibilities during our review.

In FY 2003, DoD reported that 7 of 21 DeCA employees with significant IT security responsibilities and 98 of 98 DCMA employees with significant IT security responsibilities received specialized training. However, neither DeCA nor DCMA could explain their criteria for determining whether their employees with significant IT security responsibilities had received adequate specialized training.
Until DoD implements prior recommendations for developing minimum training and certification requirements and for identifying and tracking training of employees with significant IT security responsibilities, it will be unable to provide accurate and meaningful information on the training of those employees to OMB and Congress.

Recommendations, Management Comments, and Audit Response

A. We recommend that the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness:

1. Provide DoD Components with a standardized definition of employees with significant security responsibilities for information technology who require specialized training, for use in meeting Federal Information Security Management Act requirements.

Management Comments. Management does not concur. The Director, Defense Information Assurance Program commented that the recommendation is no longer applicable because it has been completed. Employees with significant information technology security responsibilities are defined in Appendix AP1 of the Draft Manual DoD 8570.1-Manual and the DoD Federal Information Security Management Act Reporting Guidance for FY 2004, 15 March 2004.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. DoD Directive 8570.1, “Information Assurance Training, Certification, and Workforce Management,” August 15, 2004, established that it is DoD policy that privileged users and information assurance managers shall be fully qualified, trained, and certified to DoD baseline requirements to perform their information assurance duties. Personnel performing information assurance privileged user or management functions, regardless of job series or military specialty, shall be appropriately identified in the DoD Component personnel databases. All information assurance personnel shall be identified, tracked, and managed so that information assurance positions are staffed with personnel trained and certified by category, level, and function. All positions involved in the performance of information assurance functions shall be identified in appropriate manpower databases by category and level. The status of DoD Component information assurance certification and training shall be monitored and reported as an element of mission readiness and as a management review item as stated in DoD Instruction 8500.2. DoD Directive 8570.1 specifically requires the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer to develop and promulgate additional guidance relating to information assurance training, certification, and workforce management requirements. Further, it directs that personnel and manpower databases under Under Secretary of Defense for Personnel and Readiness authority capture and report requirements for information assurance training and certification. As indicated in finding A, DoD guidance since 1998 has acknowledged a need to identify personnel performing information assurance and information technology duties, to develop training and certification requirements for those people, and to implement a process for tracking implementation of those requirements. This need cannot be met without defining the personnel to whom it pertains. An implementing manual for DoD Directive 8570.1 has not yet been issued; until such a manual is issued and complied with, this recommendation will not be completed.
We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

2. Establish a specific reporting process for reviewing and approving:

a. methodologies used by DoD Components to identify employees with significant information technology security responsibilities,

b. training and certification requirements developed by the DoD Components for their employees with significant information technology security responsibilities, and

c. tracking processes that DoD Components use to determine how many of their employees with significant security responsibilities for information technology have received specialized training.

Management Comments. The Director, Defense Information Assurance Program does not concur with this recommendation. US Code Title 10 assigns the Services specific responsibilities for equipping, training, and providing the forces. The Services review and provide oversight for their training programs. The Office of the Secretary of Defense provides the framework for the Components to address Recommendations a., b., and c. The Assistant Secretary of Defense for Networks and Information Integration has been working with the Under Secretary of Defense for Personnel and Readiness to develop methodologies for DoD Components to identify information assurance positions, and manage and track employee training and certification requirements.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. See the audit response to management comments on Recommendation 1. In addition, DoD Directive 8570.1, “Information Assurance Training, Certification, and Workforce Management,” August 15, 2004, directs that the Under Secretary of Defense for Personnel and Readiness shall establish oversight for approval and coordination of certification development and implementation, require that personnel and manpower databases under the Under Secretary of Defense for Personnel and Readiness authority capture and report requirements for information assurance training and certification, and require the heads of the DoD Components to determine requirements for military and civilian manpower and contract support for privileged users and information assurance managers. These actions have not occurred. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

3. Continue to report necessary corrective actions, including the development of certification standards for employees with significant information technology security responsibilities and the process for identifying and tracking personnel who perform that function, to the Secretary of Defense for inclusion in the DoD Federal Managers Financial Integrity Act reports.

Management Comments. The Director, Defense Information Assurance Program does not concur with this recommendation, based on his response to Recommendations 1. and 2. The DoD Chief Information Officer will continue to provide updates on the progress of implementing the requirements of Draft DoD 8570.1-M.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. See the audit response to management comments on Recommendations 1. and 2.
Further, in FY 2002, DoD stated that the DoD Chief Information Officer would complete enterprisewide certification standards for information assurance and information technology professionals by May 2003; identify and track information assurance and information technology civilian personnel in databases by June 2003; and identify and track information assurance and information technology military personnel in databases by June 2004, in accordance with the Federal Managers Financial Integrity Act of 1982. These actions have not occurred. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

4. Develop a Plan of Action and Milestones to address the significant deficiency in specialized training. The Plan of Action and Milestones should include Recommendations 1. and 2. as part of the planned actions needed to correct the overall significant deficiency and should include estimated completion dates for those planned actions.

Management Comments. Management does not concur. The Director, Defense Information Assurance Program commented that this recommendation is no longer applicable based on his response to Recommendations 1. and 2. The Director, Defense Information Assurance Program does not agree that DoD has a significant weakness in specialized training, and stated that findings A and B of the Office of the Inspector General report do not identify specialized training as a significant deficiency.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. See the audit response to management comments on Recommendations 1. and 2. Further, the DoD FY 2003 Federal Information Security Management Act report contained a Plan of Action and Milestones, which stated that additional training material would be provided to DoD employees; however, it was incomplete because it did not address weaknesses and corrective actions discussed in either the FY 2002 Federal Managers Financial Integrity Act report or the 1999 information assurance and information technology human resources integrated process team report. In addition, the Plan of Action and Milestones did not provide estimated completion dates for the planned corrective actions. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

5. Require DoD Components to specify in their data call responses to the Federal Information Security Management Act:

a. the process used to identify employees with significant information technology security responsibilities,

b. the training requirements for employees with significant information technology security responsibilities, and

c. the process used to track and monitor compliance with those training requirements.

Management Comments. The Director, Defense Information Assurance Program, does not concur with this recommendation, and stated that this level of detail is not required in the E-Government Act and the Office of Management and Budget Federal Information Security Management Act guidance. DoD does report general training descriptions as part of the DoD response to the Office of Management and Budget’s Federal Information Security Management Act reporting guidance.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive.
The E-Government Act of 2002 states that the National Institute of Standards and Technology shall have the mission of developing standards, guidelines, and minimum requirements for operating and providing security for information systems. National Institute of Standards and Technology 800-50 states that Chief Information Officers should establish the overall strategy for the security awareness and training program and ensure that effective tracking and reporting processes are in place. A security awareness and training plan should include roles and responsibilities of personnel, and courses, material, and documentation of each aspect of the program. National Institute of Standards and Technology 800-50 also recommends the use of an automated tracking system to maintain information on program activity. National Institute of Standards and Technology 800-16 emphasizes a focus on the roles and responsibilities of an employee, as opposed to job titles, as a way of ensuring all employees receive proper training. DoD has neither adopted the National Institute of Standards and Technology guidance nor issued more stringent guidance to meet the requirements of the E-Government Act and should therefore determine the basis for DoD Component responses to the annual Federal Information Security Management Act data calls. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

6. Qualify the DoD annual Federal Information Security Management Act report to the Office of Management and Budget to acknowledge that the specialized training information provided has been self-reported by the DoD Components and that the DoD Chief Information Officer does not have enterprisewide standards, metrics, or tracking mechanisms with which to verify that information.

Management Comments. The Director, Defense Information Assurance Program does not concur with this recommendation, and stated that enterprise standards, metrics, and tracking mechanisms have been identified within DoD Directive 8570.1 and Draft DoD 8570.1-M.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. DoD Directive 8570.1 states that the DoD Chief Information Officer shall establish metrics to monitor and validate compliance with Directive 8570.1 as an element of mission readiness, but the Directive does not include what the metrics are. DoD Directive 8570.1 requires the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer to develop and promulgate additional guidance relating to information assurance training, certification, and workforce management requirements. Further, it directs that personnel and manpower databases under Under Secretary of Defense for Personnel and Readiness authority capture and report requirements for information assurance training and certification. As indicated in finding A, DoD guidance since 1998 has acknowledged a need to identify personnel performing information assurance and information technology duties, to develop training and certification requirements for those people, and to implement a process for tracking implementation of those requirements. An implementing manual for DoD Directive 8570.1 has not yet been issued.
Until such a manual is issued and complied with, the DoD annual Federal Information Security Management Act report to the Office of Management and Budget and Congress should be appropriately qualified. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

7. Incorporate Recommendations 1. and 2. into the implementing manual for DoD Directive 8570.1, “Information Assurance Training, Certification, and Workforce Management.”

Management Comments. Management does not concur. The Director, Defense Information Assurance Program commented that the Office of the Inspector General Recommendation 7 is not applicable. Please see responses to Recommendations 1. and 2.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. Please refer to the audit response to management comments on Recommendations 1. and 2. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

8. Provide direct assistance and oversight to the Chief Information Officers of the Defense Commissary Agency and Defense Contract Management Agency to improve their Component-level security programs for training and certifying employees with significant information technology security responsibilities until the DoD Chief Information Officer deems that the Component programs are adequate. If insufficient resources are available to provide such assistance and oversight, request immediate staff augmentation from the Secretary of Defense specifically for improving the DoD training program for DoD employees with significant security responsibilities for information technology.

Management Comments. The Director, Defense Information Assurance Program does not concur with this recommendation. As part of the implementation plan for the Draft DoD 8570.1-Manual requirements, the Defense Information Assurance Program is providing “start-up” sessions to ensure Component Chief Information Officers, human resources, and budget managers know and understand the requirements and are coordinating to meet them. Additionally, the Defense Information Assurance Program will have liaisons (Subject Matter Experts on implementing 8570.1-M) available on-call to the Components to support their initial implementation requirements.

Audit Response. The Director, Defense Information Assurance Program comments are nonresponsive. Please refer to the audit response to management comments on Recommendations 1. and 2. We request that both the Assistant Secretary of Defense for Networks and Information Integration/DoD Chief Information Officer and the Under Secretary of Defense for Personnel and Readiness provide additional comments in response to the final report.

B. Security Awareness Training

The DoD CIO did not ensure that security awareness training information that the DoD Components reported in response to FISMA data calls was accurate and supportable.
Specifically, the DoD CIO did not ensure that the DoD Components had effective processes in place to track and monitor completion of security awareness training requirements. Although DeCA and WHS had processes in place to ensure that new employees receive initial security awareness training, WHS was the only agency of the three reviewed that had a process to ensure that its network users were receiving the required periodic training. This condition occurred because the DoD CIO had not established a specific reporting process to monitor and oversee DoD Component compliance with DoD Instruction 8500.2, “Information Assurance (IA) Implementation.” As a result, DoD security awareness training information reported in FY 2004 cannot be relied upon to accurately reflect DoD enterprisewide compliance with FISMA requirements, and network users that have not received training could introduce security vulnerabilities into DoD networks.

Federal Criteria

The Computer Security Act of 1987 established the initial requirement for periodic training for all persons involved in the management, use, or operation of Federal computer systems that contain sensitive information. Security awareness training enhances employees’ awareness of the threats to and vulnerability of computer systems. OMB Circular A-130, Appendix III, “Security of Federal Automated Information Resources,” added a requirement for initial security awareness training before allowing individuals access to Federal computer systems. FISMA reinforced those requirements by requiring Federal agencies to develop, document, and implement an agencywide information security program. The programs must include security awareness training to inform all information system users, including contractors, of the information security risks associated with their activities and their responsibilities to comply with agency policies and procedures designed to reduce these risks.

OMB Memorandum 04-25, “FY 2004 Reporting Instructions for the Federal Information Security Management Act,” August 23, 2004, instructs Federal agencies to report the number of employees that they had in FY 2004 and how many of those employees received IT security awareness training in FY 2004, as described in NIST 800-50, “Building an Information Technology Security Awareness and Training Program,” October 2003.

According to NIST 800-50, an effective IT security awareness and training program explains the proper rules of behavior for the use of agency IT systems and information, communicates IT security policies and procedures that need to be followed, reinforces good security practices, and teaches individuals to recognize IT security concerns and respond accordingly. NIST 800-50 lists 27 topics that could be addressed during awareness training, such as password usage, viruses, Web usage policy, social engineering, incident response, changes in system environment, and security for handheld devices. Agency CIOs should establish the overall strategy for the IT security awareness and training program; ensure that the agency head, senior managers, and others understand the concepts and strategies of the security awareness and training program and are informed of the progress of the program’s implementation; and ensure that effective tracking and reporting mechanisms are in place. For more information on NIST 800-50, see Appendix B.

DoD Guidance

DoD Instruction 8500.2, “Information Assurance (IA) Implementation,” February 6, 2003, requires all DoD employees and IT users to maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. Each user should be capable of appropriately responding to and reporting suspicious activities and conditions and know how to protect the information that they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic IA security awareness training. DISA develops and provides awareness products, DoD Component Heads ensure that IA awareness training is provided to all military and civilian personnel, including contractors, and the DoD CIO provides oversight of DoD IA awareness activities.

Although not in effect at the time of our reviews of DeCA, DCMA, and WHS, DoD issued additional guidance on security awareness training.
DoD\n     Directive 8570.1, "IA Training, Certification, and Workforce Management,"\n     August 15, 2004, has similar requirements to DoD Instruction 8500.2, but\n     strengthens the DoD awareness program by specifying that all IT users shall\n     receive annual security awareness training rather than periodic training.\n\n\nInitial Security Awareness Training\n     DeCA and WHS both had processes in place to ensure that new employees\n     receive initial security awareness training. Both granted new users network\n     access for a limited time in which to complete the initial security awareness\n     training; if the training was not completed during that time, network access was\n     revoked. DCMA required new users to take initial security awareness training,\n     but did not have a process to ensure that they took the training.\n\n     DeCA Initial Security Awareness Training. DeCA implemented an initial\n     security awareness training program in the fall of 2003. Each new user is granted\n     access to the network for 10 days. Users must complete the initial security\n     awareness training and provide their certificates to their supervisors, who forward\n     them to the Network Access Administrator. After the Network Access\n     Administrator receives a certificate, the new user is granted permanent access to\n     the network. If a training certificate is not forwarded to the Network Access\n     Administrator within 10 days, the new user's network account automatically\n     expires.\n\n    DCMA Initial Security Awareness Training. DCMA made initial security\n    awareness training available to new users on a continual basis. The training was\n    included on a list of mandatory training courses on the DCMA Website. 
Users\n    must provide their training certificates to their training coordinator upon\n    completion; however, there was limited oversight within DCMA to ensure that\n    new users complied with that requirement.\n\n    WHS Initial Security Awareness Training. WHS required all new employees\n    to take initial security awareness training. New employees were granted 24-hour\n    access to the network after receiving a security briefing from their IA Officer. If\n    the new employee did not complete and pass the security awareness training\n    within 24 hours, their user access was automatically revoked.\n\n\nPeriodic Security Awareness Training\n    The effectiveness of security awareness training varied among DoD Components.\n    For example, DeCA and DCMA did not know how many of their employees with\n    network access had received periodic security awareness training because they\n    did not track and monitor completion of the training. Additionally, DeCA and\n    DCMA could not provide supporting documentation for the information they\n    provided for FISMA in FY 2003. In contrast, WHS was able to verify that all\n    employees had completed security awareness training by comparing personnel\n    records against security awareness training records.\n\n    DeCA. Although DeCA made security awareness training available to its\n    employees by putting the training course on the intranet in January 2003, DeCA\n    did not formally require periodic security awareness training until May 2004. On\n    May 5, 2004, an e-mail informed all DeCA employees that security awareness\n    training would be required annually and that all employees with network access\n    were to take the training by May 21, 2004. DeCA uses the DISA \xe2\x80\x9cDoD\n    Information Assurance Awareness\xe2\x80\x9d training CD, which is on the DeCA Website\n    and is accessible to all DeCA employees with network access.\n            DeCA Tracking and Monitoring Efforts. 
Prior to May 2004, DeCA did\n    not have a Componentwide process to track and monitor personnel who\n    completed security awareness training. When employees completed the training,\n    they printed out a blank certificate, wrote in their name, dated and signed the\n    certificate, and provided it to their supervisor. DeCA did not have a central\n    location where all of the certificates were maintained or a database to document\n    which employees had taken training. During the audit, DeCA compiled security\n    awareness training records through a data call to its four regions and recorded that\n    information in an Excel spreadsheet. The training records provide DeCA with a\n    rough estimate of how many people have taken the training, but it is not the best\n    way to track and monitor completion of security awareness training. For\n    example, DeCA cannot identify specific people who have not taken the training or\n    ensure that all DeCA employees have responded to the data call unless a\n    comparison against a personnel roster or list of network users is conducted. Such\n    a comparison would be time-consuming unless it is integrated with the database\n    or spreadsheet used to document the security awareness training completion\n\n\n                                         18\n\x0crecords. DeCA plans to incorporate the security awareness course into its Center\nfor Learning\xe2\x80\x99s ToolBook, which will automatically track who completes the\ntraining.\n\n        DeCA Security Awareness Training Records. DeCA provided the\nExcel spreadsheet that contained completion dates for the security awareness\ntraining, as reported by the employees, for training completed from August 1,\n2002, through May 31, 2004. Although DoD reported that all 17,876 DeCA\nemployees received security awareness training in FY 2003, DeCA did not have\naccurate records on exactly how many employees completed the training during\nFY 2003. 
DeCA made security awareness training available to employees during\n2003, but it did not keep records on the completion of that training until 2004.\nBased upon the records provided by DeCA as of May 31, 2004, only\n5,322 employees had completed security awareness training in FY 2004. Many\nDeCA employees, such as those that work in the commissaries, do not have\nnetwork access and therefore are not required to take the security awareness\ntraining, but DeCA did not have a process to identify those employees that had\nnetwork access and whether they had received the required security awareness\ntraining.\n\nDCMA. DCMA required all employees, including contractors, to take security\nawareness training every fiscal year. An e-mail is sent out every year to all\nDCMA employees to inform them of the annual security awareness training\nrequirement. For example, DCMA sent out an e-mail on October 3, 2003,\nrequiring all employees to complete the training by November 14, 2003. DCMA\nuses the Computer Security Awareness Training program, which is accessible\nthrough the DCMA intranet home page, to accomplish security awareness\ntraining. DCMA updates the security awareness training program around the\nbeginning of every fiscal year, so that employees are not taking the same training\neach year.\n\n        DCMA Tracking and Monitoring Efforts. The Computer Security\nAwareness Training program includes a database that is updated every time a\nDCMA employee completes the security awareness training. The database\nincluded names of employees that had completed the training and the date that\nthey completed the training. However, the database could not be used to quickly\nidentify those who had not taken the training because it only included employees\nthat had completed the training, rather than all DCMA employees. 
DCMA\nperiodically checks agencywide compliance with its security awareness training\nrequirements by comparing the total number of records in the Computer Security\nAwareness Training database against the number of DCMA employees reported\nby the personnel office. However, DCMA did not take any action if the number\nof records in the Computer Security Awareness Training database was less than\nthe total number of DCMA employees.\n\n       DCMA Security Awareness Training Records. DCMA did not have\nsupporting documentation for the security awareness training information\nprovided in FY 2003. Officials were only able to provide records from their\nComputer Security Awareness Training database for security awareness training\ncompleted from September 10, 2003, through May 5, 2004. Although DoD\nreported that all 11,127 DCMA employees received security awareness training in\nFY 2003, based upon the records provided by DCMA, only 25 employees\n\n                                    19\n\x0ccompleted security awareness training in FY 2003. However, through\nMay 5, 2004, the Computer Security Awareness Training database contained\n10,599 records for security awareness training completed in FY 2004. Of those\n10,599 records, 9,767 were for training completed between October 3, 2003,\nwhen they were notified to take the training, and November 14, 2003, the date by\nwhich they were required to complete the training. The Computer Security\nAwareness Training database provides DCMA with a rough estimate of how\nmany people have taken the training. However, without a comparison to a\npersonnel roster or list of network users, DCMA will not know the exact number\nof employees requiring and receiving security awareness training. 
For example,\nsince the Computer Security Awareness Training database automatically creates a\nrecord every time someone completes the online training, it would inadvertently\ninclude records for employees who had taken the training but had subsequently left\nthe agency, and duplicate records for employees who had taken the training more\nthan once.\n\nWHS. WHS required annual security awareness training for all WHS employees.\nEach of the six WHS directorates sends an e-mail every year to its employees to\ninform them of the training requirement and the completion date for their\ndirectorate. Employees complete security awareness training and testing on an\nintranet Web site maintained by the WHS CIO office. After reading the training\nmaterial, employees must answer 12 of 16 multiple-choice questions correctly.\nWHS is replacing its security awareness training program with the Learning\nManagement System, which is a Web-based security awareness training program.\nThe Financial Management Directorate and Information Technology Management\nDirectorate began using the new training in the spring of 2004.\n\n        WHS Tracking and Monitoring. Each directorate performs periodic\ncompliance checks of personnel and training information to ensure that all WHS\nusers receive the security awareness training before or shortly after their required\ntraining completion date. Each directorate IT manager obtains personnel records\nfrom the administrative officer to determine the universe of employees in the\ndirectorate and notifies the employees that they must take the training. When\nemployees complete the training, the training program automatically sends an\ne-mail to the directorate IT manager. The IT manager populates an Excel\nspreadsheet with all the names received from the administrative officer and adds\nthe date that each employee completed training. 
The IT manager is responsible\nfor identifying and contacting anyone who has not taken the security awareness\ntraining.\n\n       WHS Security Awareness Training Records. DoD reported that in\nFY 2003 all 1,707 WHS employees had completed security awareness training.\nWHS provided us with their security awareness training records on May 20, 2004.\nWHS does not keep records on a fiscal year basis or maintain historical records of\ndates when employees previously completed security awareness training.\nHowever, WHS was able to provide records that showed that all 1,644 WHS\nemployees had completed security awareness training, according to the\nrequirements that each WHS directorate designated for its employees. WHS does\nhave a process in place to track whether their employees complete training, and\nthe IT managers contact employees when they are due to complete training.\n\n\n\n\n                                     20\n\x0cFISMA Reporting\n    DoD reported unsupportable information to OMB and Congress in its FY 2003\n    FISMA report. DoD reported that all 17,876 DeCA employees, all\n    11,127 DCMA employees, and all 1,707 WHS employees had received IT\n    security awareness training in FY 2003. DeCA and DCMA were unable to\n    provide supporting documentation for those numbers. Further, they did not have\n    a process in place to track and monitor completion of security awareness training\n    that would allow them to report accurately for FY 2004. 
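The roster-versus-records comparison that WHS performs, and that the DCMA record count does not, can be written down as a small reconciliation script. The following Python is an added example; it is not part of this report and not code from any Component's training system. The personnel roster, the training-database extract, the user identifiers and the fiscal-year boundary are constructed sample data. The script treats the personnel roster as the universe of users, counts only network users as required to train, keeps each user's latest completion inside the fiscal year, and lists who has no qualifying record. Alongside it, the record-count-versus-headcount check the report describes at DCMA is computed on the same data to show how duplicate and departed-employee records let that check pass while named users remain untrained. A last function flags users whose most recent completion is more than a year old, the annual refresher that DoD Directive 8570.1 requires.

```python
"""Reconcile a personnel roster against a security awareness training extract.

Added example, not taken from the DoD IG report or any Component's system.
All roster entries, training records and dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Employee:
    user_id: str
    name: str
    network_access: bool  # only network users must take the training


@dataclass(frozen=True)
class TrainingRecord:
    user_id: str
    completed: date


# FY 2004 ran 1 Oct 2003 through 30 Sep 2004.
FY_START = date(2003, 10, 1)
FY_END = date(2004, 9, 30)

# Constructed personnel roster: the "universe" from the personnel office.
ROSTER = [
    Employee("u001", "A. Adams", True),
    Employee("u002", "B. Baker", True),
    Employee("u003", "C. Clark", True),
    Employee("u004", "D. Davis", False),  # no network account, training not required
    Employee("u005", "E. Evans", True),
]

# Constructed training-database extract: one row per completion, exactly as a
# self-service course writes it, so duplicates and departed staff are present.
TRAINING = [
    TrainingRecord("u001", date(2003, 10, 10)),
    TrainingRecord("u001", date(2004, 3, 2)),    # same user, took it twice
    TrainingRecord("u002", date(2003, 11, 5)),
    TrainingRecord("u003", date(2003, 9, 20)),   # prior fiscal year, does not count
    TrainingRecord("u009", date(2003, 11, 6)),   # left the agency, not on roster
    TrainingRecord("u010", date(2003, 11, 7)),   # another departed employee
]


def headcount_check(roster, records):
    """Record-count check: passes when there are at least as many training
    records as people on the roster. Duplicates and departed employees inflate
    the count, so it can pass while named users remain untrained."""
    return len(records) >= len(roster)


def latest_completion(records, start=date.min, end=date.max):
    """Map user_id -> most recent completion date within [start, end]."""
    latest = {}
    for rec in records:
        if start <= rec.completed <= end:
            if rec.user_id not in latest or rec.completed > latest[rec.user_id]:
                latest[rec.user_id] = rec.completed
    return latest


def reconcile(roster, records, fy_start=FY_START, fy_end=FY_END):
    """Roster-driven comparison: who is required, who completed in the fiscal
    year, who is missing, and which records belong to nobody on the roster."""
    required = {e.user_id for e in roster if e.network_access}
    latest = latest_completion(records, fy_start, fy_end)
    completed = {uid for uid in latest if uid in required}
    return {
        "required": len(required),
        "completed": len(completed),
        "missing": sorted(required - completed),
        "orphan_records": sorted(set(latest) - required),
        "percent": round(100.0 * len(completed) / len(required), 1) if required else 0.0,
    }


def overdue_for_annual_refresher(roster, records, as_of, max_age=timedelta(days=365)):
    """Users who must train and whose latest completion (any year) is older than
    max_age, or who have never completed the training at all."""
    latest = latest_completion(records)
    return sorted(
        e.user_id for e in roster
        if e.network_access
        and (e.user_id not in latest or as_of - latest[e.user_id] > max_age)
    )


if __name__ == "__main__":
    print("record count >= headcount:", headcount_check(ROSTER, TRAINING))
    print("reconciliation:", reconcile(ROSTER, TRAINING))
    print("overdue as of 30 Nov 2004:",
          overdue_for_annual_refresher(ROSTER, TRAINING, date(2004, 11, 30)))
```

On the constructed data the headcount check passes (six records against five people) while the reconciliation shows only two of the four required users trained in the fiscal year, two users missing, and two records that belong to nobody on the roster. The point of driving the comparison from the roster rather than from the training database is that the missing list and the orphan list exist at all; WHS's spreadsheet procedure is the manual form of the same join. One caveat a practitioner will hit: contractors who must train but are not carried in the civilian personnel roster will show up as orphan records rather than as required users, so the roster fed in must be the list of network users, not only the personnel system extract.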
Until the DoD CIO\n    requires all DoD Components to have acceptable methods for tracking,\n    monitoring, and documenting completion of security awareness training\n    requirements, DoD will be unable to provide accurate and meaningful information\n    on its security awareness training to OMB and Congress.\n\n\nConclusion\n    Recent attacks against the DoD information infrastructure have heightened\n    awareness of the importance of training as a critical component of protecting DoD\n    information resources against modern-day cyber attacks. The DoD warfighting\n    capability and the security of its information infrastructure are at great risk from\n    attacks by foreign intelligence organizations, cyber terrorists, and the\n    incompetence of some of its own users. The shared risk environment created by\n    highly connected and interdependent DoD information systems makes it\n    imperative that all individuals using, administering, and maintaining those\n    systems understand the threats and the policies, procedures, and equipment\n    designed to mitigate those threats. Network users who have not received security\n    awareness training could introduce security vulnerabilities into DoD networks. If\n    employees are not informed of applicable organizational policies and procedures,\n    they cannot be expected to act effectively to secure computer resources.\n\n\nRecommendations, Management Comments, and Audit Response\n    B. We recommend that the Assistant Secretary of Defense for Networks and\n    Information Integration/DoD Chief Information Officer and the Under\n    Secretary of Defense for Personnel and Readiness:\n\n           1. Require each DoD Component to provide a plan for how it will\n    track and monitor completion of security awareness training for its\n    network users.\n\n    Management Comments. Management does not concur. 
The Director, Defense\n    Information Assurance Program commented that the recommendation is no longer\n    applicable as it has been completed. Chapters 6, 7, and 8 of the Draft\n    DoD 8570.1-M identify information assurance workforce identification, tracking,\n    and reporting requirements.\n\n\n                                        21\n\x0cAudit Response. The Director, Defense Information Assurance Program\ncomments are nonresponsive. DoD Directive 8570.1 requires that all authorized\nusers of DoD information systems shall receive initial information assurance\nawareness orientation as a condition of access and thereafter must complete\nannual information assurance refresher awareness. Further, the Directive\nspecifies that the status of DoD Component information assurance certification\nand training shall be monitored and reported as an element of mission readiness\nand as a management review item. The Assistant Secretary of Defense for\nNetworks and Information Integration is charged with the responsibility to\nestablish metrics to monitor and validate compliance with the Directive as an\nelement of mission readiness, and the Under Secretary of Defense for Personnel\nand Readiness is charged with establishing oversight for approval and\ncoordination of certification development and implementation. An implementing\nmanual for DoD Directive 8570.1 has not yet been issued; until such a manual is\nissued and complied with, this recommendation will not be completed. We\nrequest that both the Assistant Secretary of Defense for Networks and Information\nIntegration/DoD Chief Information Officer and the Under Secretary of Defense\nfor Personnel and Readiness provide additional comments in response to the final\nreport.\n\n       2. Periodically review supporting documentation to ensure that the\nComponents\xe2\x80\x99 plans are effectively implemented and to document completion\nof those reviews.\n\nManagement Comments. 
The Director, Defense Information Assurance\nProgram does not concur with this recommendation, and stated that there is no\nrequirement to perform Component inspections. However, DoD-wide standards,\nprocesses and procedures will be in place to support DoD management of these\nrequirements. Additionally, the Defense Information Assurance Program is\nworking with Components as they develop their plans to implement the\nrequirements of DoD 8570 and will provide implementation support.\n\nAudit Response. The Director, Defense Information Assurance Program\ncomments are nonresponsive. National Institute of Standards and Technology\n800-50 states that when a security awareness and training program is\nimplemented, processes must be put in place to monitor compliance and\neffectiveness. DoD Directive 8570.1 requires that all authorized users of DoD\ninformation systems shall receive initial information assurance awareness\norientation as a condition of access and thereafter must complete annual\ninformation assurance refresher awareness. Further, the Directive specifies that\nthe status of DoD component information assurance certification and training\nshall be monitored and reported as an element of mission readiness and as a\nmanagement review item. The Assistant Secretary of Defense for Networks and\nInformation Integration is charged with responsibility to establish metrics to\nmonitor and validate compliance with the Directive as an element of mission\nreadiness, and the Under Secretary of Defense for Personnel and Readiness is\ncharged with establishing oversight for approval and coordination of certification\ndevelopment and implementation. An implementing manual for DoD\nDirective 8570.1 has not yet been issued; until such a manual is issued and\ncomplied with, this recommendation will not be completed. 
We request that both\nthe Assistant Secretary of Defense for Networks and Information Integration/DoD\n\n\n                                    22\n\x0cChief Information Officer and the Under Secretary of Defense for Personnel and\nReadiness provide additional comments in response to the final report.\n\n       3. Develop a Plan of Action and Milestones to address the security\nawareness training weakness. The Plan of Action and Milestones should\ninclude Recommendations 1. and 2. as part of the planned actions needed to\ncorrect the overall weakness and should include estimated completion dates\nfor those planned actions.\n\nManagement Comments. The Director, Defense Information Assurance\nProgram does not concur that DoD has a security awareness training weakness\nthat requires a Plan of Action and Milestones at the enterprise level. The Director\nstated that the limited scope of the audit is not sufficient to support this\nconclusion.\n\nAudit Response. The Director, Defense Information Assurance Program\ncomments are nonresponsive. The scope of the audit included Federal laws,\nOffice of Management and Budget guidance, National Institute of Standards and\nTechnology guidance, and DoD Directives, Instructions, and Memorandums to\ndetermine the root cause of compliance deficiencies with these criteria at three\nDoD Components who reported 100 percent compliance with security training\nand awareness data calls in FY 2003. See also our response to management\ncomments on Recommendations 1. and 2. We request that both the Assistant\nSecretary of Defense for Networks and Information Integration/DoD Chief\nInformation Officer and the Under Secretary of Defense for Personnel and\nReadiness provide additional comments in response to the final report.\n\n        4. 
Qualify its annual Federal Information Security Management Act\nreport to the Office of Management and Budget to acknowledge that the\nsecurity awareness training information provided has been self-reported by\nthe DoD Components and the DoD Chief Information Officer does not have\nenterprisewide standards, metrics, or tracking mechanisms with which to\nverify that information.\n\nManagement Comments. The Director, Defense Information Assurance\nProgram does not concur with this recommendation. The Director stated that\nenterprise standards, metrics, and tracking mechanisms have been identified\nwithin DoD Directive 8570.1 and Draft DoD 8570.1-M.\n\nAudit Response. The Director, Defense Information Assurance Program\ncomments are nonresponsive. DoD Directive 8570.1 requires that all authorized\nusers of DoD information systems shall receive initial information assurance\nawareness orientation as a condition of access and thereafter must complete\nannual information assurance refresher awareness. Further, the Directive\nspecifies that the status of DoD Component information assurance certification\nand training shall be monitored and reported as an element of mission readiness\nand as a management review item. The Assistant Secretary of Defense for\nNetworks and Information Integration is charged with the responsibility to\nestablish metrics to monitor and validate compliance with the Directive as an\nelement of mission readiness, and the Under Secretary of Defense for Personnel\nand Readiness is charged with establishing oversight for approval and\ncoordination of certification development and implementation. An implementing\n\n                                    23\n\x0cmanual for DoD Directive 8570.1 has not yet been issued. Until such a manual is\nissued, and complied with, the DoD annual Federal Information Security\nManagement Act report to the Office of Management and Budget and Congress\nshould be appropriately qualified. 
We request that both the Assistant Secretary of\nDefense for Networks and Information Integration/DoD Chief Information\nOfficer and the Under Secretary of Defense for Personnel and Readiness provide\nadditional comments in response to the final report.\n\n        5. Provide direct assistance and oversight to the Chief Information\nOfficers of the Defense Commissary Agency and Defense Contract\nManagement Agency to improve their Component-level security programs\nfor security awareness training until the DoD Chief Information Officer\ndeems that the Component programs are adequate. If insufficient resources\nare available to provide such assistance and oversight, request immediate\nstaff augmentation from the Secretary of Defense specifically for improving\nthe DoD security awareness program.\n\nManagement Comments. The Director, Defense Information Assurance\nProgram does not concur with this recommendation. As part of the\nimplementation plan for the Draft DoD 8570.1-M requirements, the Defense\nInformation Assurance Program is providing \xe2\x80\x9cstart-up\xe2\x80\x9d sessions to ensure\nComponent Chief Information Officers, human resources, and budget managers\nknow and understand the requirements and are coordinating to meet them.\nAdditionally, the Defense Information Assurance Program will have liaisons\n(Subject Matter Experts on implementing 8570.1-M) available on-call to the\nComponents to support their initial implementation requirements.\n\nAudit Response. The Director, Defense Information Assurance Program\ncomments are nonresponsive. Please refer to our response to management\ncomments on Recommendation 1. We request that both the Assistant Secretary of\nDefense for Networks and Information Integration/DoD Chief Information\nOfficer and the Under Secretary of Defense for Personnel and Readiness provide\nadditional comments in response to the final report.\n\n\n\n\n                                    24\n\x0cAppendix A. 
Scope and Methodology\n   We performed this audit to determine whether all agency employees with\n   computer access received IT security awareness training, and whether employees\n   with significant IT security responsibilities received specialized IT training, within\n   our review of three DoD Components.\n\n   We reviewed Federal laws, OMB guidance, NIST guidance, and DoD Directives,\n   Instructions, and Memorandums. We reviewed DeCA, DCMA, and WHS training\n   guidance, based on the size of the agencies and their geographic locations. We\n   reviewed the lists of all personnel requiring security awareness training and\n   employees with significant IT security responsibilities requiring specialized\n   training. We also obtained and reviewed the records of security awareness\n   training and IT specialized training to determine whether DeCA, DCMA, and\n   WHS employees were being trained in accordance with Federal laws, OMB\n   guidance, DoD guidance, and their own internal guidance.\n\n   We visited, contacted, and conducted interviews with officials from the Office of\n   the DoD CIO, DeCA, DCMA, and WHS.\n\n   We performed this audit from April 2004 through October 2004 in accordance\n   with generally accepted government auditing standards.\n\n   We did not evaluate management controls because DoD recognized information\n   assurance as a material weakness in the FY 2000 Statement of Assurance.\n\n   Use of Computer-Processed Data. We used each Component's Defense\n   Civilian Personnel Data System roster to locate the five traditional IT-related\n   occupations and compared them to the number of employees with significant IT\n   security responsibilities that DeCA, DCMA, and WHS had provided. 
We did not\n   perform a reliability assessment of the computer-processed data, although we did\n   identify a coding and script error and a reversed month and date in a certain\n   period during our testing of the number of employees that had security awareness\n   training by using Computer Security Awareness Training for DCMA. After the\n   review detected the problem, DCMA took corrective action.\n\n   General Accounting Office High-Risk Area. The General Accounting Office\n   has identified several high-risk areas in DoD. This report provides coverage of\n   the Information Security high-risk area.\n\n\nPrior Coverage\n     During the last 5 years, the Inspector General of the Department of Defense\n     (IG DoD) and Naval Audit Service have issued three reports discussing computer\n     security awareness training.\n\nIG DoD\n     IG DoD Report No. D-2004-067, "Implementation of the Federal Information\n     Security Management Act for FY 2003 at Selected Military Treatment Facilities,"\n     April 8, 2004\n\nNaval Audit Service\n     N2004-0072, "Information Security - Operational Controls at Naval Air Systems\n     Command Headquarters and Naval Air Warfare Centers," August 16, 2004\n\n     N2004-0063, "Information Security - Operational Controls at Naval Aviation\n     Depots," July 9, 2004\n\n\nAppendix B. National Institute of Standards and\n            Technology Guidance on Security\n            Awareness and Training\n    The Computer Security Act of 1987 tasked NIST to develop and issue guidelines\n    for Federal computer security training. NIST issued Special Publication 500-172,\n    "Computer Security Training Guidelines," in November 1989. 
In January 1992,\n    the Office of Personnel Management released a Federal personnel regulation,\n    "Employees Responsible for the Management or Use of Federal Computer\n    Systems," which required Federal agencies to provide training as set forth in\n    NIST guidelines. In April 1998, NIST 500-172 was superseded by NIST 800-16,\n    "Information Technology Security Training Requirements: A Role- and\n    Performance-Based Model." In October 2003, NIST 800-50, "Building an\n    Information Technology Security Awareness and Training Program," was issued\n    as a companion document to NIST 800-16. NIST 800-50 describes strategies for\n    building an IT security awareness and training program, and NIST 800-16\n    describes a tactical approach to role-based IT security training.\n\n    NIST 800-50. NIST 800-50 provides guidance for building an effective IT\n    security awareness and training program and supports the requirements specified\n    in FISMA. Training agency IT users on security policy, procedures, and\n    techniques is an important part of any IT security program. Agency heads must\n    give high priority to effective security awareness and training for the workforce.\n    CIOs should establish the overall strategy for the IT security awareness and\n    training program and ensure that effective tracking and reporting processes are in\n    place. A security awareness and training plan should discuss existing policy and\n    the scope of the awareness and training program. The plan should also include\n    the roles and responsibilities of agency personnel; mandatory and optional courses\n    or material; and documentation, feedback, and evidence of learning for each\n    aspect of the program. 
The security training and awareness plan must be viewed as a set\n    of minimum requirements to be met, and those requirements must be supportable\n    from a budget or contractual perspective. An implementation schedule must be\n    established and should consider availability of resources, organizational impact,\n    and state of compliance.\n\n    NIST 800-50 outlines three possible program structures: centralized, partially\n    decentralized, and fully decentralized. A centralized program includes a\n    central authority with the responsibility and budget for the entire organization\xe2\x80\x99s\n    IT security awareness and training program. In a partially decentralized program,\n    a central authority defines security awareness and training policy and strategy,\n    and implementation, including budget allocation, material development, and\n    scheduling, is delegated to line management officials in the organization. In a\n    fully decentralized program, the central authority disseminates broad policy and\n    expectations for security awareness and training requirements, but gives\n    responsibility for executing the entire program to other organizational units. This\n    model normally uses a series of distributed authority directives, driven by the\n    central authority, and a subsystem of CIOs and IT security program managers\n    subordinate to the central CIO and IT security officer.\n\nThe central authority sets the overall policy, and the organizational units assess\nand develop the security awareness and training material and determine how to\ndeploy it. The central authority may require periodic input from each\norganizational unit on the budget, strategy, and progress report. The central\nauthority may also require the organizational units to report awareness and\ntraining results. 
Agencies that are relatively large, have general responsibilities\nassigned to headquarters and specific responsibilities assigned to unit levels,\nhave functions spread over a wide geographic area, or have quasi-autonomous\norganizational units with separate and distinct missions often use a fully\ndecentralized structure.\n\nWhen a security awareness and training program is implemented, processes must\nbe put in place to monitor compliance and effectiveness. NIST 800-50\nrecommends the use of an automated tracking system to capture key information\non program activity at an agency level. The database would serve the needs of\nseveral users. For example, CIOs could use the database to support strategic\nplanning, report on overall implementation of the IT security awareness and\ntraining program, assist in security and IT budgeting, and identify the need for\nprogram improvements. The IT security program managers could use the\ndatabase to support security planning, provide status reports, justify requests for\nfunding, demonstrate compliance with agency-established goals and objectives,\nidentify vendors and other training sources, and respond to security-related\ninquiries. Auditors could use the database to monitor compliance with security\ndirectives and agency policy. Other users that may have a need for the database\ninclude human resources departments, agency training departments, functional\nmanagers, and chief financial officers.\n\nNIST 800-16. The emphasis of NIST 800-16 is on training criteria or standards,\nrather than on specific curricula or content. Training criteria should be based\nupon each employee\xe2\x80\x99s role within the organization and measured by on-the-job\nperformance. This emphasis on roles and results, rather than on fixed content,\ngives this document flexibility, adaptability, and longevity. 
The new approach\nrecognizes that an individual may have more than one organizational role and will\nneed IT security training that satisfies the specific responsibilities of each role. In\naddition, because it is not focused on job titles, this approach facilitates more\nconsistent interpretation of training criteria across organizations.\n\nNIST 800-16 is based on the premise that learning starts with awareness,\nbuilds to training, and evolves into education. This document defines the IT\nsecurity learning needed as a person assumes different roles within an\norganization and different responsibilities in relation to IT systems, and the\nknowledge, skills, and abilities individuals need to perform the IT security\nresponsibilities specific to their roles in the organization. All employees need\nawareness. Training is required for individuals whose role in the organization\nindicates a need for special knowledge of IT security threats, vulnerabilities, and\nsafeguards. Education applies primarily to individuals who have made IT\nsecurity their profession.\n\nAppendix C. DoD Requirements\n   June 29, 1998, Memorandum. On June 29, 1998, the DoD CIO and the Under\n   Secretary of Defense for Personnel and Readiness issued \xe2\x80\x9cInformation Assurance\n   (IA) Training and Certification.\xe2\x80\x9d This memorandum states that the shared risk\n   environment created by highly connected and interdependent DoD information\n   systems makes it imperative that all individuals using, administering, and\n   maintaining shared systems understand the threats to DoD systems and the\n   policies, procedures, and equipment designed to mitigate these threats. 
The\n   memorandum also stated that many individuals using shared systems or\n   performing the duties of system administrators and maintainers lacked sufficient\n   training to ensure the adequate protection of DoD information resources.\n\n   The DoD CIO tasked the Under Secretary of Defense for Personnel and\n   Readiness to work with the DoD Components to identify a common set of IA\n   training and certification requirements for military and civilian occupational\n   specialties. In the meantime, the memorandum required DoD Component Heads\n   to develop and implement certification plans and procedures for all DoD military\n   and civilian employees who use DoD computer systems or perform the duties of\n   system administrators and maintainers. The certification plans were to be\n   submitted to the Director of Information Assurance within the Office of the DoD\n   CIO within 45 days, the Components were to report on progress against those\n   plans every quarter, and the plans were to be fully implemented by December\n   2000.\n\n   July 14, 2000, Memorandum. On August 27, 1999, the Office of the Secretary\n   of Defense published, \xe2\x80\x9cInformation Assurance and Information Technology:\n   Training, Certification, and Personnel Management in the Department of\n   Defense,\xe2\x80\x9d which included the findings and recommendations of an IA and IT\n   human resources integrated process team composed of representatives from\n   15 DoD Services and agencies. The recommendations were accepted by the\n   Deputy Secretary of Defense on July 14, 2000. The report found that DoD had\n   difficulty determining who its employees with significant IT security\n   responsibilities were because military and civilian employees who perform IT\n   duties are not always assigned to a specific military or civilian IT occupational\n   specialty or series. 
The report also found that DoD had not identified specific\n   training and certification requirements for employees with significant IT security\n   responsibilities. The report made 19 recommendations related to changing the\n   way in which DoD manages its IT workforce. Recommendations to the Under\n   Secretary of Defense for Personnel and Readiness included requiring the DoD\n   Components to identify all people who perform IT functions in DoD personnel\n   databases and to establish mandatory training or certification programs, or both,\n   to track the status of compliance with the memorandum\xe2\x80\x99s requirements. The\n   recommendation to adopt NIST 800-16 was directed to the DoD CIO.\n\n   On July 14, 2000, the Deputy Secretary of Defense issued a memorandum,\n   \xe2\x80\x9cImplementation of the Recommendations of the Information Assurance and\n   Information Technology Integrated Process Team on Training, Certification and\n   Personnel Management in the Department of Defense,\xe2\x80\x9d which assigned actions to\n   implement each of the 19 recommendations in the report. The memorandum\nrequired the assigned organizations to develop and submit plans to implement\ntheir respective recommendation(s) to the Deputy Secretary\xe2\x80\x99s office within\n90 days. The memorandum also required the DoD CIO to provide a consolidated\nstatus report on the execution of those plans every 60 days.\n\nDoD Directive 8500.1. DoD Directive 8500.1, \xe2\x80\x9cInformation Assurance (IA),\xe2\x80\x9d\nOctober 24, 2002, and certified current as of November 21, 2003, states that all\npersonnel [with] authorized access to DoD information systems shall be\nadequately trained in accordance with DoD and Component policies and\nrequirements and certified as required to perform the tasks associated with their\nIA responsibilities.\n\nDoD Instruction 8500.2. 
DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA)\nImplementation,\xe2\x80\x9d February 6, 2003, states that the DoD CIO shall provide\noversight of DoD IA education, training, and awareness activities. Specifically,\nthe DoD CIO is responsible for establishing a DoD core curriculum for IA\ntraining and awareness and establishing IA skills certification standards in\ncoordination with the Office of the Under Secretary of Defense for Personnel and\nReadiness. The DISA Director is required to develop and provide IA training\nand awareness products. DoD Component Heads are required to ensure that IA\nawareness, training, education, and professionalization are provided to all military\nand civilian personnel, including contractors, commensurate with their respective\nresponsibilities for developing, using, operating, administering, maintaining, and\nretiring DoD information systems in accordance with the DoD memorandums\nissued on IA training and certification on June 29, 1998, and July 14, 2000.\n\nCJCS Instruction 6510.01C. Chairman of the Joint Chiefs of Staff\nInstruction 6510.01C, \xe2\x80\x9cInformation Assurance and Computer Network Defense,\xe2\x80\x9d\nMay 1, 2001, states that all DoD Components will establish a training and\ncertification program for Designated Approving Authority, Information System\nSecurity Officer, and system administrator positions using National Security\nTelecommunications and Information Systems Security national training\nstandards. The Components are required to establish and maintain the\ncertification status of system administrators. Certification information will be\nforwarded to DISA and documented in the DoD Central Database. The\nComponents will also develop or use DISA-developed standardized tests for\ncertification of skill level one, two, and three system administrators.\n\nDoD Directive 8570.1. 
DoD Directive 8570.1, \xe2\x80\x9cInformation Assurance Training,\nCertification, and Workforce Management,\xe2\x80\x9d August 15, 2004, states that the\nDoD CIO shall establish metrics to monitor and validate compliance with this\nDirective; DISA shall provide training and awareness materials for the DoD\nComponents to integrate into their IA training and awareness programs; DoD\nComponents shall \xe2\x80\x9cestablish, resource, and implement\xe2\x80\x9d an IA training and\ncertification program for all DoD Component personnel, and identify, document,\nand track IA personnel certification status in Component personnel databases; and\nthe Under Secretary of Defense for Personnel and Readiness shall require Heads\nof DoD Components to determine the requirements for privileged users and IA\nmanagers, ensure that personnel databases capture and report IA training and\ncertification requirements, and establish oversight for approving and coordinating\ndevelopment and implementation of certification programs.\n\nDoD Directive 8570.1 duplicated several requirements that already existed in\nDoD guidance. DoD Instruction 8500.2, February 2003, already required the\nDoD CIO to provide overall oversight of the IA education, training, and\nawareness activities in DoD and required DISA to develop and promulgate IA\ntraining and awareness products. The June 1998 and July 2000 memorandums, as\nwell as CJCSI 6510.01C, all required the DoD Components to develop IA\ntraining and certification requirements. 
The June 1998 memorandum already\nrequired the DoD Components to report to the DoD CIO on implementation of\nthose requirements every quarter, the July 2000 memorandum required the DoD\nComponents to identify their employees with significant IT security\nresponsibilities and track compliance with training requirements in personnel\ndatabases, and CJCSI 6510.01C already required Components to forward\ncertification information to DISA for inclusion in the DoD Central Database.\n\nAppendix D. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nUnder Secretary of Defense for Personnel and Readiness\nAssistant Secretary of Defense for Networks and Information Integration/DoD Chief\n   Information Officer\nDirector, Program Analysis and Evaluation\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nOther Defense Organizations\nDirector, Defense Information Systems Agency\nDirector, Defense Commissary Agency\nDirector, Defense Contract Management Agency\nDirector, Washington Headquarters Service\n\nNon-Defense Federal Organization\nOffice of Management and Budget\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee 
on Government Efficiency and Financial Management, Committee\n  on Government Reform\nHouse Subcommittee on National Security, Emerging Threats, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology, Information Policy, Intergovernmental Relations,\n  and the Census, Committee on Government Reform\n\nDefense Information Assurance Program\nComments\n\nASSISTANT SECRETARY OF DEFENSE\n6000 DEFENSE PENTAGON\nWASHINGTON, DC 20301-6000\n\nNETWORKS AND INFORMATION\nINTEGRATION\n\na 3 NOV 2004\n\nMEMORANDUM FOR INSPECTOR GENERAL, DEPARTMENT OF DEFENSE\n\nSUBJECT: Report on DoD FY 2004 Implementation of the Federal Information\n         Security Management Act for Information Technology Training and\n         Awareness (Project No. D2004AL-0136)\n\n     The Department of Defense (DoD) Deputy Chief Information Officer (DCIO)\ndoes not concur with findings A and B of the Report. The DCIO is concerned that the\nReport findings are based on an extremely limited sample of three relatively small DoD\nsupport Agencies (Defense Commissary Agency (DeCA), Defense Contract Management\nAgency (DCMA), Washington Headquarters Service (WHS)). The scope of the audit,\nwhich did not include any Services or Combatant Commands, represented less than 1%\nof total DoD employees and less than 0.2% of employees with significant IT security\nresponsibilities. In contrast to the Report\'s conclusions, the results of the training audit\nrevealed that WHS has a strong IT security training program.\n\n     The DCIO has completed action on two of the IG Report Recommendations and\ntwo Recommendations are not applicable. The DCIO does not concur with the remaining\nnine Recommendations of the subject Report. As requested, the following responses\naddress the Report\'s Recommendations:\n\nPart A: Specialized Training for Employees with Significant Security\n        Responsibilities for Information Technology\n\nOIG Recommendation 1: Provide DoD Components with a standardized definition for\nemployees with significant security responsibilities for information technology that\nrequires specialized training to use in meeting FISMA requirements.\n\nDoD Management Response: OIG Recommendation 1 is no longer applicable as it has\nbeen completed. Employees with significant IT security responsibilities are defined in\nAppendix AP1 of the Draft Manual DoD 8570.1-M and in the Department of Defense\nFederal Information Security Management Act (FISMA) Reporting Guidance for Fiscal\nYear 2004, 15 March 2004. In accordance with the DoD FISMA guidance, page 2, DoD\ndefines significant security responsibilities as those performed by the Designated\nApproval Authority (DAA), System Administrator/Network Administrator (SA/NA),\nInformation System Security Manager (ISSM), Information Assurance Manager (IAM),\nInformation System Security Officer (ISSO), Information Assurance Officer (IAO),\nComputer Emergency Response Team (CERT) members, and anyone with privileged\naccess to a system or network.\n\nOIG Recommendation 2: In coordination with the Under Secretary of Defense for\nPersonnel and Readiness (USD(P&R)), establish a specific reporting process for\nreviewing and approving:\n\n           a. methodologies used by DoD Components to identify employees with\nsignificant information technology security responsibilities,\n           b. training and certification requirements developed by the DoD Components\nfor their employees with significant information technology security responsibilities, and\n           c. tracking processes that DoD Components use to determine how many of\ntheir employees with significant security responsibilities for IT have received specialized\ntraining.\n\nDoD Management Response: The DCIO does not concur with this recommendation.\nUnited States Code Title 10 assigns specific responsibilities to the Services for equipping,\ntraining, and providing the forces. Under this responsibility, the Services are responsible\nfor the review and oversight of their training programs. The Office of the Secretary of\nDefense (OSD) provides the framework for the Components to address recommendations\na, b, and c. The Assistant Secretary of Defense for Networks and Information Integration\n(ASD(NII)) has been working directly with USD(P&R) to develop methodologies for DoD\nComponents to identify IA positions and manage and track employee training and\ncertification requirements.\n\nOIG Recommendation 3: Continue to report necessary corrective action, including the\ndevelopment of standards for employees with significant information technology security\nresponsibilities and the process for identifying and tracking personnel who perform that\nfunction, to the Secretary of Defense for inclusion in the DoD Federal Managers\nFinancial Integrity Act (FMFIA) report.\n\nDoD Management Response: The DCIO does not concur with this recommendation\nbased on DoD\'s Management Responses to OIG Recommendations 1 and 2. The DoD\nCIO will continue to provide updates on the progress of implementing the requirements\nof Draft DoD 8570.1-M.\n\nOIG Recommendation 4: Develop a Plan of Action and Milestones to address the\nsignificant deficiency in specialized training. The POA&M should include\nRecommendations 1 and 2 as part of the planned actions needed to correct the overall\nsignificant deficiency and should include estimated completion dates for those planned\nactions.\n\nDoD Management Response: This recommendation is no longer applicable based on\nDoD\'s Management Responses to OIG Recommendations 1 and 2. The DCIO does not\nagree that DoD has a significant weakness in specialized training. Findings A and B of\nthe OIG report do not identify specialized training as a significant deficiency.\n\nOIG Recommendation 5: Require DoD Components to specify in their data call\nresponses to the FISMA:\n\n           a. the process used to identify employees with significant information\ntechnology security responsibilities,\n           b. the training requirement for employees with significant information\ntechnology security responsibilities, and\n           c. the process used to track and monitor compliance with those training\nrequirements.\n\nDoD Management Response: The DCIO does not concur with this recommendation as\nthis level of detail is not required in the E-Government Act and the FISMA guidance\nissued by the Office of Management and Budget (OMB). DoD does report general\ntraining descriptions as part of the Department\'s response to OMB\'s FISMA reporting\nguidance.\n\nOIG Recommendation 6: Qualify its annual FISMA report to the OMB to acknowledge\nthat the specialized training information provided has been self-reported by the\nComponents and the DoD CIO does not have enterprise wide standards, metrics, or\ntracking mechanisms with which to verify that information.\n\nDoD Management Response: The DCIO does not concur with this recommendation.\nEnterprise standards, metrics and tracking mechanisms have been identified within DoD\nDirective (DoDD) 8570.1, Information Assurance Training, Certification and Workforce\nManagement and Draft DoD 8570.1-M.\n\nOIG Recommendation 7: Incorporate Recommendations 1 and 2 into the implementing\nmanual for DoD Directive 8570.1, "Information Assurance Training, Certification, and\nWorkforce Management".\n\nDoD Management Response: OIG Recommendation 7 is not applicable. Please see\nresponses to Recommendations 1 and 2.\n\nOIG Recommendation 8: Provide direct assistance and oversight to the CIOs of the\nDefense Commissary Agency and Defense Contract Management Agency to improve\ntheir Component-level security programs for training and certifying employees with\nsignificant information technology security responsibilities until the DoD CIO deems that\nthe Component programs are adequate. If insufficient resources are available to provide\nsuch assistance and oversight, request immediate staff augmentation from the Secretary\nof Defense specifically for improving the DoD training program for DoD employees with\nsignificant security responsibilities for information technology.\n\nDoD Management Response: The DCIO does not concur with this recommendation.\nAs part of the implementation plan for the Draft DoD 8570.1-M requirements, the DIAP\nis providing "start-up" sessions to ensure Component CIOs, human resources, and budget\nmanagers know and understand the requirements and are coordinating to meet them.\nAdditionally, the DIAP will have liaisons (Subject Matter Experts on implementing\n8570.1-M) available on-call to the Components to support their initial implementation\nrequirements.\n\nPart B: "Security Awareness Training"\n\nOIG Recommendation 1: Require each DoD Component to provide a plan for how it\nwill track and monitor completion of security awareness training for their network users.\n\nDoD Management Response: OIG Recommendation 1 is no longer applicable as it has\nbeen completed. Chapters 6, 7, and 8 of the Draft DoD 8570.1-M identify IA workforce\nidentification, tracking, and reporting requirements.\n\nOIG Recommendation 2: Periodically review supporting documentation to ensure that\nthe Component\'s plans are effectively implemented and to document completion of those\nreviews.\n\nDoD Management Response: The DCIO does not concur with this recommendation as\nthere is no requirement to perform Component inspections. However, DoD-wide\nstandards, processes and procedures will be in place to support DoD management of\nthese requirements. Additionally, the DIAP is working with Components as they develop\ntheir plans to implement the requirements of DoD 8570 and will provide implementation\nsupport.\n\nOIG Recommendation 3: Develop a Plan of Action and Milestones to address the\nsecurity awareness training weakness. The POA&M should include Recommendations 1\nand 2 as part of the planned actions needed to correct the overall weakness and should\ninclude estimated completion dates for those planned actions.\n\nDoD Management Response: The DCIO does not concur that DoD has a security\nawareness training weakness that requires a POA&M at the enterprise level. The limited\nscope of the audit is not sufficient to support this conclusion.\n\nOIG Recommendation 4: Qualify its annual FISMA report to the OMB to acknowledge\nthat the security awareness training information provided has been self-reported by the\nComponents and the DoD CIO does not have enterprise wide standards, metrics, or\ntracking mechanisms with which to verify that information.\n\nDoD Management Response: The DCIO does not concur with this recommendation.\nEnterprise standards, metrics and tracking mechanisms have been identified within DoD\nDirective (DoDD) 8570.1, Information Assurance Training, Certification and Workforce\nManagement and Draft DoD 8570.1-M.\n\nOIG Recommendation 5: Provide direct assistance and oversight to the CIOs of the\nDefense Commissary Agency and Defense Contract Management Agency to improve\ntheir Component-level security programs for security awareness training until the DoD\nCIO deems that the Component programs are adequate. If insufficient resources are\navailable to provide such assistance and oversight, request immediate staff augmentation\nfrom the Secretary of Defense specifically for improving the DoD training program for\nDoD employees with significant security responsibilities for information technology.\n\nDoD Management Response: The DCIO does not concur with this recommendation.\nAs part of the implementation plan for the Draft DoD 8570.1-M requirements, the DIAP\nis providing "start-up" sessions to ensure Component CIOs, human resources, and budget\nmanagers know and understand the requirements and are coordinating to meet them.\nAdditionally, the DIAP will have liaisons (Subject Matter Experts on implementing\n8570.1-M) available on-call to the Components to support their initial implementation\nrequirements.\n\nMy point of contact for this action is George Bieber, 703-602-9980,\ngeorge.bieber@osd.mil.\n\n                                 Director, DIAP\n\nTeam Members\nThe Office of the Deputy Inspector General for Auditing of the Department of\nDefense, Acquisition and Technology Management prepared this report.\nPersonnel of the Office of the Inspector General of the Department of Defense\nwho contributed to the report are listed below.\nSarah Davis\nJames Mitchell\nKevin A. Palmer\nLiyang Riggins\nKathryn Truex\nZachary Williams\n'